
Setting session data on authentication

Feb 6th, 2009, 11:39 AM

I would like the following events to happen:

(1) Flex application at some point asks the user to login.
(2) Application server authenticates the user and sets hidden data in the session (e.g. userID)
(3) Flex application issues a request for data.
(4) Application server extracts the hidden data and then uses it to complete the request (e.g. "SELECT r FROM Records r WHERE id=userID").

The first step is handled by using custom authentication on the Flex side. The rest is a bit murky. This must be a common problem and I don't doubt that there is an RTFM answer somewhere.


Why would you not use a shared object on the flex side to keep track of the logged in user?

I assume that you are suggesting creating a User object which contains the user data and then using this in Flex. This has a real benefit of allowing most back-end operations to be stateless, but it should be avoided when application security is a priority. Here's why:

Good security practices prohibit passing the user identifier outside of BlazeDS to the Flex side. As the endpoint (i.e. desktop or mobile phone) is not secure and as the application can be modified or replaced, the programmer must assume that all data passed to Flex is accessible to a malicious entity. If the back-end passes 'userID = 2' to Flex then a compromised application might update the identity claim 'userID = 5' before making a request to access data for a different user.

Instead, a unique session identifier is typically generated by the application server, and key data is attached to and obtained from the session by the application. The FlexContext is one such mechanism.
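One way to wire steps (2) and (4) of the original question through the FlexContext mechanism named in the reply, written as an added example rather than code from this thread; the `UserDirectory` and `RecordDao` collaborators and the session attribute name are assumptions:

```java
import flex.messaging.FlexContext;
import flex.messaging.FlexSession;
import java.util.List;

public class RecordService {
    // Session attribute holding the authenticated user's identifier (name is an assumption).
    private static final String USER_ID_ATTR = "authenticatedUserId";

    // Hypothetical application collaborators, not BlazeDS APIs.
    public interface UserDirectory { Long authenticate(String username, String password); }
    public interface RecordDao { List<?> findByOwner(long userId); }

    private final UserDirectory users;
    private final RecordDao records;

    public RecordService(UserDirectory users, RecordDao records) {
        this.users = users;
        this.records = records;
    }

    // Step (2): verify credentials and keep the userID in the server-side FlexSession.
    // Only success/failure goes back to the client; the identifier itself never leaves the server.
    public boolean login(String username, String password) {
        Long userId = users.authenticate(username, password);
        if (userId == null) {
            return false;
        }
        FlexContext.getFlexSession().setAttribute(USER_ID_ATTR, userId);
        return true;
    }

    // Step (4): the Flex client asks for "my records" without naming a user. The identifier
    // is read from the session, so a modified client has no userID field to tamper with.
    public List<?> getMyRecords() {
        FlexSession session = FlexContext.getFlexSession();
        Object id = session == null ? null : session.getAttribute(USER_ID_ATTR);
        if (!(id instanceof Long)) {
            throw new SecurityException("not authenticated");
        }
        return records.findByOwner((Long) id);  // e.g. SELECT r FROM Records r WHERE id = :userId
    }

    public void logout() {
        FlexSession session = FlexContext.getFlexSession();
        if (session != null) {
            session.removeAttribute(USER_ID_ATTR);
        }
    }
}
```

Expose the class as a BlazeDS remoting destination; the contrast is a method such as `getRecords(long userId)` that accepts the identifier from the client, which is exactly the unverified claim the reply warns about.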